Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance

jer0nim0x
Level 1

Hi,

basically I am trying to achieve what's documented in

http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704

(using ASDM: "crypto ca import" = Remote Access VPN -> Certificate Management -> Code Signer -> Import)

I give the ASA a complete PKCS12 bundle (unencrypted private key + certificates up to the root CA).

I can indeed verify that it has been imported correctly by exporting it again:

  crypto ca export CodeSignerBundle pkcs12 1234

It shows me the private key and all the certificates.

However, the jars used in WebVPN, while carrying the correct certificate, don't have a full certification chain at their disposal:

Using jarsigner -verify, I see this for a random file from the jar:

sm       905 Fri Nov 30 00:00:00 CET 1979 Java/lang/CpUtf8.class

      X.509, CN=COMMONNAME, O=ORGANIZATION, L=LOCATION, ST=STATE, C=COUNTRY

      [certificate is valid from 8/1/13 4:30 PM to 8/1/16 4:30 PM]

      X.509, CN=LuxTrust Qualified CA, O=LuxTrust S.A., C=LU

      [certificate is valid from 6/5/08 11:25 AM to 10/18/16 12:40 PM]

      [CertPath not validated: Path does not chain with any of the trust anchors]

Indeed the certificate file inside the jar (META-INF/.....RSA) does not contain what I uploaded to the ASA. One of the intermediary certificates is missing (while another certificate is listed twice).

What could be the problem here? (ASA v8.2(5))

Thanks for any help,

Marki
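The mismatch described in the post (signer present, one intermediate missing, another certificate duplicated, "Path does not chain with any of the trust anchors") can be pinned down without Java by dumping the certificates in the jar's signature block and walking the issuer links yourself. The following script is an added example and is not part of the original post or of any Cisco tooling. It consumes the text that `openssl pkcs7 -inform DER -print_certs -noout` prints for a `META-INF/*.RSA` file (the jar name, the signature-block file name and the root CA subject used in the embedded sample are constructed placeholders, not values from the post) and reports which link is missing and which certificates appear more than once.

```python
"""Check whether the certificates embedded in a JAR signature block form a
complete chain from the code-signing certificate to a trusted root.

Added example, not from the original post.  Typical use:
    unzip -p webvpn.jar 'META-INF/SIGNER.RSA' \
        | openssl pkcs7 -inform DER -print_certs -noout > jar_certs.txt
(jar and signature-block file names are assumptions) and then feed the
resulting text to parse_print_certs() / check_chain().
"""
import re
from collections import Counter

# Subjects taken from the jarsigner output in the post; the root CA subject
# is a constructed placeholder, since the post does not name the real root.
SIGNER = "CN = COMMONNAME, O = ORGANIZATION, L = LOCATION, ST = STATE, C = COUNTRY"
INTERMEDIATE = "CN = LuxTrust Qualified CA, O = LuxTrust S.A., C = LU"
ROOT = "CN = Example Root CA, O = Example, C = XX"  # constructed placeholder

# Constructed sample of `openssl pkcs7 -print_certs -noout` output for the
# jar's signature block: signer, intermediate, and the intermediate again,
# with no root (mirrors the symptom described in the post).
SAMPLE_JAR_CERTS = f"""\
subject={SIGNER}
issuer={INTERMEDIATE}

subject={INTERMEDIATE}
issuer={ROOT}

subject={INTERMEDIATE}
issuer={ROOT}
"""

# Constructed sample for the PKCS12 bundle that was uploaded: signer,
# intermediate, and the self-signed root.
SAMPLE_BUNDLE_CERTS = f"""\
subject={SIGNER}
issuer={INTERMEDIATE}

subject={INTERMEDIATE}
issuer={ROOT}

subject={ROOT}
issuer={ROOT}
"""


def parse_print_certs(text):
    """Return [(subject, issuer), ...] from `openssl ... -print_certs -noout`
    output.  openssl prints a 'subject=' line followed by an 'issuer=' line
    for every certificate; both the old '/CN=...' and the new 'CN = ...'
    distinguished-name styles are accepted verbatim."""
    certs = []
    subject = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^subject\s*=\s*(.+)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"^issuer\s*=\s*(.+)$", line)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def check_chain(certs, signer_subject, trust_anchors):
    """Walk issuer links from the signer's subject towards a trust anchor.

    Returns a dict: chain (subjects visited, in order), complete (True if a
    configured anchor was reached), missing_issuer (the subject the chain
    needed but the bundle does not contain, or None) and duplicates
    (subjects that occur more than once in the bundle)."""
    by_subject = {}
    for subject, issuer in certs:
        by_subject.setdefault(subject, issuer)  # first copy wins
    counts = Counter(subject for subject, _ in certs)
    result = {
        "chain": [],
        "complete": False,
        "missing_issuer": None,
        "duplicates": sorted(s for s, n in counts.items() if n > 1),
    }
    current = signer_subject
    while current not in result["chain"]:  # guard against issuer loops
        if current not in by_subject:
            result["missing_issuer"] = current  # link absent from the bundle
            return result
        result["chain"].append(current)
        if current in trust_anchors:
            result["complete"] = True
            return result
        issuer = by_subject[current]
        if issuer == current:  # self-signed, but not one of our anchors
            return result
        current = issuer
    return result


def report(name, text, trust_anchors):
    """Print a one-line verdict for one certificate dump."""
    r = check_chain(parse_print_certs(text), SIGNER, trust_anchors)
    status = "complete" if r["complete"] else f"BROKEN, missing {r['missing_issuer']!r}"
    print(f"{name}: {status}; duplicates: {r['duplicates'] or 'none'}")


if __name__ == "__main__":
    report("jar signature block", SAMPLE_JAR_CERTS, {ROOT})
    report("uploaded PKCS12 bundle", SAMPLE_BUNDLE_CERTS, {ROOT})
```

Run the same two dumps against the real files: if the PKCS12 export from the ASA walks to the root but the `.RSA` block from the jar stops one link short, the problem is in how the appliance builds the signature block, not in the bundle that was imported.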
